Back to Blog

Homelab Networking 101: VLANs, Firewalls and Security

Secure your homelab with proper network segmentation. Learn VLANs, firewall rules, and network security best practices for self-hosted infrastructure.

Posted by

Homelab network security setup

Why Network Security Matters

Your homelab likely contains sensitive data - personal files, passwords, financial documents. Without proper network segmentation, a compromised IoT device could give attackers access to everything on your network.

Network security isn't optional - it's the foundation of a secure self-hosted infrastructure.

Understanding VLANs

VLANs (Virtual Local Area Networks) allow you to segment your network into isolated zones. Devices on different VLANs cannot communicate without explicit firewall rules.

Recommended VLAN Structure:

  • VLAN 10 - Management: Network equipment, Proxmox, Portainer
  • VLAN 20 - Trusted: Personal devices, workstations
  • VLAN 30 - Servers: Docker hosts, databases
  • VLAN 40 - IoT: Smart devices, cameras (isolated)
  • VLAN 50 - Guest: Visitor devices (internet only)

Firewall Rules

Configure your firewall with these principles:

# Basic firewall rule structure (pfSense/OPNsense)

# Allow management VLAN to access everything
VLAN10 -> ANY : ALLOW

# Trusted devices can access servers
VLAN20 -> VLAN30 : ALLOW (specific ports)

# Servers can access internet (for updates)
VLAN30 -> WAN : ALLOW

# IoT devices - internet only, no local access
VLAN40 -> WAN : ALLOW
VLAN40 -> VLAN10/20/30 : DENY

# Guest - internet only
VLAN50 -> WAN : ALLOW
VLAN50 -> ANY_LOCAL : DENY

Docker Network Security

Docker containers also need network isolation:

# Create isolated Docker networks
docker network create --driver bridge frontend
docker network create --driver bridge backend
docker network create --internal database

# In docker-compose.yml
networks:
  frontend:
    external: true
  backend:
    external: true
  database:
    internal: true  # No external access

Essential Security Checklist

  • Change default passwords on all network equipment
  • Disable UPnP on your router
  • Use a separate admin network for management
  • Enable logging on your firewall
  • Regularly update firmware and software
  • Use VPN for remote access, never port forward

Continue Reading